Prev Question
Next Question

Your network contains an Active Directory domain named contoso.com. The functional level of the domain and the forest is Windows Server 2008 R2.
All domain controllers run Windows Server 2008 R2.
You plan to deploy a new line-of-business application named App1 that uses claims-based authentication.
You need to recommend changes to the network to ensure that Active Directory can provide claims for App1.
What should you include in the recommendation? (Each correct answer presents part of the solution. Choose all that apply.)

A. From the properties of the computer accounts of the domain controllers, enable Kerberos constrained delegation.

B. From the Default Domain Controllers Policy, enable the Support for Dynamic Access Control and Kerberos armoring setting.

C. Deploy Active Directory Lightweight Directory Services (AD LDS).

D. Raise the domain functional level to Windows Server 2012.

E. Add domain controllers that run Windows Server 2012.

Explanation:
E: You must perform several steps to enable claims in Server 2012 AD. First, you must upgrade the forest schema to Server 2012. You can do so manually through
Adprep, but Microsoft strongly recommends that you add the AD DS role to a new Server 2012 server or upgrade an existing DC to Server 2012.
B: Once AD can support claims, you must enable them through Group Policy:
From the Start screen on a system with AD admin rights, open Group Policy Management and select the Domain Controllers Organizational Unit (OU) in the
domain in which you wish to enable claims.
Right-click the Default Domain Controllers Policy and select Edit.
In the Editor window, drill down to Computer Configuration, Policies, Administrative Templates, System, and KDC (Key Distribution Center).

Open KDC support for claims, compound authentication, and Kerberos armoring.
Select the Enabled radio button. Supported will appear under Claims, compound authentication for Dynamic Access Control and Kerberos armoring options

Prev Question
Next Question

Leave a Reply

Your email address will not be published. Required fields are marked *